{"containers": {"cna": {"affected": [{"product": "windows-setup", "vendor": "composer", "versions": [{"status": "affected", "version": "< 6.0.0"}]}], "descriptions": [{"lang": "en", "value": "In Composer-Setup for Windows before version 6.0.0, if the developer's computer is shared with other users, a local attacker may be able to exploit the following scenarios. 1. A local regular user may modify the existing `C:\\ProgramData\\ComposerSetup\\bin\\composer.bat` in order to get elevated command execution when composer is run by an administrator. 2. A local regular user may create a specially crafted dll in the `C:\\ProgramData\\ComposerSetup\\bin` folder in order to get Local System privileges. See: https://itm4n.github.io/windows-server-netman-dll-hijacking. 3. If the directory of the php.exe selected by the user is not in the system path, it is added without checking that it is admin secured, as per Microsoft guidelines. See: https://msrc-blog.microsoft.com/2018/04/04/triaging-a-dll-planting-vulnerability."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-276", "description": "CWE-276: Incorrect Default Permissions", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-08-14T16:35:13", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/composer/windows-setup/security/advisories/GHSA-wgrx-r3qv-332c"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/composer/windows-setup/commit/ca9f1435d368e3377e82d60ef0c7b795afa9f804"}], "source": {"advisory": "GHSA-wgrx-r3qv-332c", "discovery": "UNKNOWN"}, "title": "Local privilege elevation in Composer-Setup for Windows", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-15145", "STATE": "PUBLIC", "TITLE": "Local privilege elevation in Composer-Setup for Windows"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "windows-setup", "version": {"version_data": [{"version_value": "< 6.0.0"}]}}]}, "vendor_name": "composer"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Composer-Setup for Windows before version 6.0.0, if the developer's computer is shared with other users, a local attacker may be able to exploit the following scenarios. 1. A local regular user may modify the existing `C:\\ProgramData\\ComposerSetup\\bin\\composer.bat` in order to get elevated command execution when composer is run by an administrator. 2. A local regular user may create a specially crafted dll in the `C:\\ProgramData\\ComposerSetup\\bin` folder in order to get Local System privileges. See: https://itm4n.github.io/windows-server-netman-dll-hijacking. 3. If the directory of the php.exe selected by the user is not in the system path, it is added without checking that it is admin secured, as per Microsoft guidelines. See: https://msrc-blog.microsoft.com/2018/04/04/triaging-a-dll-planting-vulnerability."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-276: Incorrect Default Permissions"}]}]}, "references": {"reference_data": [{"name": "https://github.com/composer/windows-setup/security/advisories/GHSA-wgrx-r3qv-332c", "refsource": "CONFIRM", "url": "https://github.com/composer/windows-setup/security/advisories/GHSA-wgrx-r3qv-332c"}, {"name": "https://github.com/composer/windows-setup/commit/ca9f1435d368e3377e82d60ef0c7b795afa9f804", "refsource": "MISC", "url": "https://github.com/composer/windows-setup/commit/ca9f1435d368e3377e82d60ef0c7b795afa9f804"}]}, "source": {"advisory": "GHSA-wgrx-r3qv-332c", "discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-15145", "datePublished": "2020-08-14T16:35:13", "dateReserved": "2020-06-25T00:00:00", "dateUpdated": "2020-08-14T16:35:13", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:getcomposer:composer-setup:*:*:*:*:*:windows:*:*", "matchCriteriaId": "96AF5B75-DD24-474E-A464-D9CA5BA790C3", "versionEndExcluding": "6.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In Composer-Setup for Windows before version 6.0.0, if the developer's computer is shared with other users, a local attacker may be able to exploit the following scenarios. 1. A local regular user may modify the existing `C:\\ProgramData\\ComposerSetup\\bin\\composer.bat` in order to get elevated command execution when composer is run by an administrator. 2. A local regular user may create a specially crafted dll in the `C:\\ProgramData\\ComposerSetup\\bin` folder in order to get Local System privileges. See: https://itm4n.github.io/windows-server-netman-dll-hijacking. 3. If the directory of the php.exe selected by the user is not in the system path, it is added without checking that it is admin secured, as per Microsoft guidelines. See: https://msrc-blog.microsoft.com/2018/04/04/triaging-a-dll-planting-vulnerability."}, {"lang": "es", "value": "En Composer-Setup para Windows versiones anteriores a 6.0.0, si la computadora del desarrollador es compartida con otros usuarios, un atacante local puede ser capaz de explotar los siguientes escenarios. 1. Un usuario habitual local puede modificar el archivo \"C:\\ProgramData\\ComposerSetup\\bin\\composer.bat\" existente para conseguir una ejecuci\u00f3n de comandos elevados cuando composer es ejecutado por un administrador. 2. Un usuario habitual local puede crear una dll especialmente dise\u00f1ada en la carpeta \"C:\\ProgramData\\ComposerSetup\\bin\" para alcanzar privilegios del Sistema Local. Consulte: https://itm4n.github.io/windows-server-netman-dll-hijacking. 3. Si el directorio de php.exe seleccionado por el usuario no est\u00e1 en la ruta del sistema, es agregado sin comprobar que est\u00e9 protegido por el administrador, seg\u00fan las mejores practicas de Microsoft. Consulte: https://msrc-blog.microsoft.com/2018/04/04/triaging-a-dll-planting-vulnerability."}], "id": "CVE-2020-15145", "lastModified": "2020-08-21T14:54:05.307", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.5, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.5, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2020-08-14T17:15:14.377", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/composer/windows-setup/commit/ca9f1435d368e3377e82d60ef0c7b795afa9f804"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/composer/windows-setup/security/advisories/GHSA-wgrx-r3qv-332c"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-276"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}